7.5
CVE-2018-1000817
- EPSS 0.56%
- Published 20.12.2018 15:29:00
- Last modified 21.11.2024 03:40:25
- Source cve@mitre.org
Asset Pipeline Grails Plugin: asset-pipeline plugin versions prior to 2.14.1.1, 2.15.1 and 3.0.6 contain an Incorrect Access Control vulnerability in applications deployed in Jetty that can result in the download of .class files and any arbitrary file. This attack appears to be exploitable via a specially crafted GET request containing directory traversal from the asset-pipeline context. This vulnerability appears to have been fixed in 2.14.1.1 (for Grails 2.x), 2.15.1 (for Grails 3 and Java 7) and 3.0.6 (for Grails 3 and Java 8).
Data provided by the National Vulnerability Database (NVD)
Asset Pipeline Project ≫ Asset-pipeline (software platform: grails) Version < 2.14.1.1
Asset Pipeline Project ≫ Asset-pipeline (software platform: grails) Version > 2.14.1.1 < 2.15.1
Asset Pipeline Project ≫ Asset-pipeline (software platform: grails) Version > 2.15.1 < 3.0.6
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.56% | 0.674 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd@nist.gov | 5 | 10 | 2.9 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.